I’m currently having an issue that I’ve never encountered before and I’ve hit a complete brick wall regarding it.
I’m working on a project that uses this: GitHub - mageddo/dns-proxy-server: Solve your DNS hosts from your docker containers, then from your local configuration, then from internet docker image to run a DNS server within a container.
This container expects a bind mount from the host’s /etc/resolv.conf to the same file in the container in order for it to modify the host’s DNS settings to add itself as the default DNS server on the host.
Problem is, every time the server starts, it throws an error ‘operation not permitted’ because it can’t write to /etc/resolv.conf. Now on a mac this is a symlink to /var/run/resolv.conf. But even mounting the original file in, still faces permission issues. The only solution seems to be to chmod a+rwx (or at the very least g+w) the file, in which case it then works. The problem with that is, our VPN client rewrites this file every time it connects or disconnects and does so with the default u+rw permissions.
I considered whether it was MacOS System Integrity Protection (SIP), but I disabled that to ensure it wasn’t the cause.
Then I looked at whether it was the new gRPC Fuse system, but disabling that and even downgrading Docker to 2.3 didn’t work.
I’ve confirmed that both the UID and GID of the file is the same as the user in the docker container (root). I’ve even gone as far as to try a user directive to set the UID and GID of the user in the container to be identical to the one with permissions to access the file on the host, to no avail.
This doesn’t seem to just affect one file either. If I mount /etc or /var/run to any random directory on the container and then try and even create a file in the mounted directory, it says the directory isn’t writeable.
I’m sort of out of ideas. Has anyone seen this before?
This can be illustrated by exec in to the following running container:
docker run -v /private/var/run/resolv.conf:/root/resolv.conf --user 0:1 ubuntu tail -f > /dev/null
Try then to exec in and run a chmod on resolv.conf or even just edit it.